Justice Clearinghouse Editors (JCH): Your webinar is about CyberThreats and the Actors (or perpetrators) who commit these activities. I think most of us still think of “hackers” as teenagers or anti-social individuals who hang out in a basement and come up with ways to wreak havoc on “normal” society. Is this a false impression? Who is the typical cyber threat actor these days?

Stacey Wright: I think the thing we have to get away from is the belief that there is a “typical” cyber threat actor. The bad actors committing cybercrimes range from those teenagers and anti-social geeks in the basement to sophisticated business structures with employees around the world. Today cybercrime is simply another business opportunity for many and it just happens to be (frequently) illegal. This is promoted by the impression that it’s easy to remain anonymous on the Internet, that there are no “real” victims and the fact that you can commit these acts in foreign countries, making it much more difficult to bring charges against you.

At the Multi-State Information Sharing and Analysis Center (MS-ISAC) we watch five different types of cyber threat actors – cybercriminals, hacktivists, nation-states, terrorists, and insiders. For this audience, I would add a sixth group of actors – “regular” criminals. These are people who are committing crimes that just happen to use cyber means. This includes gang members involved in identity theft and tax fraud, white collar criminals perpetrating online Ponzi schemes, and so on.

JCH: What are the common cyber threat actor motivations?

Stacey: Motivations for cybercrime include all the standard motivations for real-world crimes including making money, opportunity, revenge, inspiring fear, hatred, espionage, and “lulz” (malicious fun). It’s important to understand that just like real-world crime, cybercrime can be opportunistically or strategically targeted and that difference is critical.

In opportunistic cybercrime, the actor chooses what they want to do and then finds systems that are vulnerable. Most malware, such as ransomware, keyloggers, viruses, and worms, are opportunistic cybercrimes. Think of this as comparable to a common home burglary. Most of the time the burglar is looking for an empty house that looks easy to break into and will have valuable items inside. They aren’t researching who owns the house. Malware seeking to infect computers does this, too, by searching for computers that have specific software on them or have known vulnerabilities. Most of the time the malware isn’t targeted at a specific computer or company. Website defacements are another opportunistic cybercrime. For the most part, the actors behind the website defacement are looking for a vulnerable website where they can easily gain access and mark it up with their own graphics and text, just like a graffiti artist looks for an available wall that meets their needs – they don’t often care who owns the wall.

On the other hand, strategic cybercrime is targeted toward a victim, meaning the actor chose who they wanted to target before figuring out how they can target that entity. Strategic attacks, like some malware and distributed denial of service (DDoS) attacks, can be more difficult to defend against because the actors have chosen you as a target, researched your weaknesses, and are specifically attempting to exploit those weaknesses.

JCH: So let’s apply this: Why is understanding who cyber threat actors are and their motivation so important? How would this kind of profiling be useful to a typical public safety agency?

Stacey: Understanding cyber threat actors and their motivations, as well as whether or not a particular tactic is opportunistic or strategic can help with your investigation or defense since they all cross-correlate to some degree. If you understand which tactics feed which motivations and which motivations are more likely to be associated with a particular type of actor, it can help you both investigate the activity and protect against it, so this is helpful for both investigators working cybercrime and executives and IT staff protecting networks and doing risk analysis.

On the investigative side, understanding the type of actor and motivations behind them can lead to a better understanding of the crime and potentially, the development of new leads. For instance, many justice organizations have been targeted by hacktivists during the past few years. Hacktivists are hacker-activists, cyber actors who are motivated by social, political, or ideological motivations. Just like other activists, some of what they do is perfectly legal, but some hacktivists also branch into illegal activity. Hacktivists are one of the more interesting actor groups as they act both opportunistically and strategically.

Opportunistic hacktivists commit crimes like website defacements. One of the more common defacements right now are defacements that have pro-ISIS messaging. As you can imagine, going to your website and seeing that it now has a pro-ISIS message on it would be pretty shocking. As a justice professional, it’s important to realize that this is a defacement and defacements are almost always opportunistic crime. In about 99% of defacements, the hacktivists are low-skilled actors who know how to exploit a particular vulnerability. They then look for any website where that vulnerability is present and exploit the vulnerability to tag the website with their message.

On the other hand, hacktivists strategically target justice agencies in response to a variety of controversial incidents including events that result from the alleged use of excessive force by a law enforcement officer, animal cruelty cases, and incidents involving the homeless or children. This activity might come in the form of a DDoS attack that attempts to block regular Internet traffic from accessing your website.

In both incidents, it’s a hacktivist behind the activity. However, the defacement isn’t worth pursuing as an investigation because, despite the alarming message, this is cyber graffiti from someone who didn’t care what website they targeted and is most likely overseas. The DDoS attack, though, might be from a local hacktivist in direct response to a local event. This incident is worth investigating to try to determine the actor, since there may be indicators as to who is behind the DDoS attack and it may be someone local. From a defense side, understanding your risk to the latter group of hacktivists (e.g. have you had previous controversial incidents?) can help determine your agency’s risk and protection strategy. From an executive point of view, it’s also important to know that a pro-ISIS group isn’t targeting your agency and that the activity was opportunistic.

JCH: I have to ask, with the world of cybercrime changing and growing so fast, how in the world do you and your team keep up with all of the changes and evolving threats? Any tips for how our members can keep a “finger on the pulse” of the cyberthreats happening?

Stacey: It’s not easy but fortunately, there are a lot of great resources out there from several of the federal agencies and their programs, such as DHS, US-CERT, and the FBI’s InfraGard, to open sources to the Information Sharing and Analysis Centers (ISAC). Ben Spear from the MS-ISAC previously covered many of these resources in the archived Justice Clearinghouse webinar from July 2017.

Obviously, though, I’m partial to the MS-ISAC. DHS has designated the MS-ISAC as the focal point for cyber threat prevention, protection, response and recovery for the nation’s state, local, territory and tribal (SLTT) governments. Membership in the MS-ISAC is free for all SLTT governments as we’re funded by the U.S. Department of Homeland Security (DHS). As a member, you’ll receive cyber information relevant to SLTT governments to help with both protecting your systems and better understanding cybercrime. To join MS-ISAC please fill out the application here and please mention you heard about us through the Justice Clearinghouse.

JCH: We have members from all parts of the justice arena. Can you share some specifics of what different types of justice professionals or first responders will gain by attending your webinar? What skills or new knowledge will they gain that they can immediately use the next day on the job?

Stacey: I think this webinar is a bit unique since you’re going to walk away from it with different things depending on your job. The senior executive will hopefully learn a bit more about who is likely to be targeting his/her justice agency and why. This will enable them to make better decisions about potential future risks and resource needs. The IT professional will also gain a better understanding of the types of cyber threat actors targeting his/her justice agency and why, but for them this information will help them in determining a response plan, including who they may need to involve, and what other knowledge or resources they may need to respond to incidents in the most effective manner possible. Finally, I hope this will also help the investigator better determine which incidents are worth a closer look and maybe even find a suspect.

As always, I’ll try to keep this presentation less technical than other cyber presentations and help everyone walk away with a better understanding of the actors and the risks toward your department and jurisdiction.